The Relationship Between Business Risk and Security and the Role of the Modern CISO
Today, businesses face more risk than ever, and modern security teams shoulder the enormous responsibility of protecting their organization’s most sensitive and valuable data. Cybersecurity has become a business guardian and enabler, its critical role being the management and control of organizational risk. Savvy executive leaders are well aware of how important security has become to the function and success of their businesses.
It’s easy to understand the importance of cybersecurity for business, but what about business risk’s impact on the shape of security today? How does an organization’s view of business risk shape its security posture and priorities? What’s the nature of the relationship between business risk and cybersecurity, and how does this affect the role of the modern CISO?
We sat down with current security leaders Gary Hayslip, Global CISO and assist for Softbank; Eric Cole, founder of Secure Anchor Consulting; Chris Hymes, CISO for Riot Games; and Charlie McNerney, CISO for Expedia Group, to help us better understand the interconnected relationship between business risk and security and the role of today’s CISO.
Bridging two worlds
Engineers are tactical, technical, and put out fires. They speak the lingo of attack vectors, data exfiltration, and threat hunting. Business leaders are numbers- and results-driven, speaking the boardroom lingo of business, money, and spreadsheet probabilities. Both care about organizational security, but each views risk through differently colored lenses, which creates priority number one for security: finding a CISO capable of understanding risk from both a business and a technical perspective while navigating both worlds with equal agility.
The most successful CISO understands risk from technical and business perspectives, seamlessly bridging the gap between the two divergent worlds. The modern CISO can come from an engineering background but must fill a strategic executive role focusing on business, strategy, and leadership. Eric Cole explains, “CISO isn’t a technical position, rather a strategic one. They focus on growing the business. They understand financials, revenue, and profit margins, and their focus needs to be on integrating security as a business enabler.”
A CISO’s job involves being a business-focused assessor and manager of risk, a tech-savvy interpreter who breaks threats down into business-relatable info-bites for executives. Security leaders must advise business leaders on the impact, severity, and likelihood of risks while communicating the need for controls to keep the organization safe. “As a CISO, you’ve got to be comfortable in business decision-making conversations,” explains Cole.
A significant problem today stems from the inability of many CISOs to understand and effectively address what executive leaders care about concerning risk. This lack of understanding often results in executives tuning out and devaluing the CISO, possibly the reason why many get terminated after short tours of duty. So what information does the board want from the CISO? For results-driven executives, it boils down to four essentials. Cole explains, “Here are the only four things our board cares about: what could happen, what’s the likelihood it could happen, what’s the cost if it occurs, and what’s the cost to fix it? It’s all money and business-related.”
Mission drives security posture
As a 20-year veteran of military service, Gary Hayslip is comfortable working with a purpose and toiling for a mission. He understands the importance of knowing who you are and what you represent as an organization. He also knows that how a business views risk, and its appetite for accepting risk, will shine through in its mission statement or guiding business philosophy. A business mission statement can guide security teams when looking at risk, identifying priorities, and determining posture.
As a security leader in the business world, Gary wasted no time in aligning security strategy with his company’s internal mission. He explains, “These were the things we were looking at, and it was all focused on how we were going to go ahead and support the mission of the company.”
An organization’s mission reflects its view of risk, and that internal mission will inevitably guide security leaders in formulating a plan moving forward. Mission statements lead to action statements which lead to action plans. “We built out a three-year strategic plan of things we wanted to improve to reduce risk, and it all tied back to specific action statements relating to our internal mission of how we were going to support the company,” says Hayslip.
Maintaining a healthy perspective on risk
Many executives view risk seriously, and they should, because many risks pose severe threats to business operations. However, this dire perspective on risk from above can foster an “everything is critical” mindset, putting security teams in perpetual crisis firefighting mode. Treating every risk as dire and managing with fear doesn’t breed better security and inevitably results in employee burnout. Chris Hymes weighs in on the perils of this thinking: “One of the most dangerous things from my experience was people being okay with managing by fear, and who enjoyed making things a crisis. We need people ready to take risks and innovate because that’s what the adversary is doing. If they burn out or are afraid of any measure, afraid of the boss, afraid of an outcome, they won’t innovate, and that leads to indifference. It’s amazing what people can accomplish when the pressure is removed.”
All risks should be taken seriously but kept in perspective; fostering a security culture of stressed urgency driven by fear is counter to long-term success. Organizations need to ensure their security leaders and teams are rested and understand that, yes, mistakes will happen, but learning from them and innovating is the key to an improved security posture. Hymes candidly adds, “I make mistakes all the time. Other people on our team make mistakes, but what we care about is that people thought through what they were doing as much as they could, then we made sure to go back and share everything that went wrong.”
In today’s fast-moving business world, organizations often need to push the risk envelope to achieve valued gains. This can create a divergence between the two camps: business executives urging a push forward despite the risk while security leaders clamor for the brakes. In most cases, with upper management’s support, security ends up taking a back seat to business initiatives. This hardly seems fair, considering executives possess the decision-making authority while security leaders shoulder the responsibility should the decision backfire.
What is a CISO to do?
Eric Cole has some sage advice for today’s security leaders forced into such an unenviable position. As a CISO, it’s okay to accept an executive decision, but don’t hesitate to transfer the unacceptable risk to the appropriate party. “Sometimes you have to realize business is about risk, and as long as you fully inform executives of the risk, you have to be okay with them making the decision. However, if they go over the line of acceptable risk, it’s okay to say, just so you’re aware, the risk is transferring to you, and this will be brought up at the next board meeting.”
Make no mistake: business executives and security leaders view risk from differing perspectives, but each has a unique role to play in the success of any organization. Despite their many differences, they share the overarching goal of a secure and prosperous enterprise.
The organization’s view of risk undoubtedly helps shape security priorities, yet security leaders and teams must operate within industry best practices to keep the business secure and operational. Business objectives drive the organizational mission, which forms the action statements and plans guiding security strategy.
The nature of the business and security relationship surrounding risk is one of intertwined guidance and enablement. Security enables the business to function and thrive while relying on the organization’s appetite for risk to guide its strategy and action planning. Today, this relationship hinges on a CISO who understands risk from both a technical and executive perspective, bridging the gap with strong communication and leadership skills while encouraging the empathy and innovation required to earn the respect and trust of an entire organization.